
Hard-Coded 'b' Password in Sitecore XP Sparks Major RCE Risk in Enterprise Deployments

Cybersecurity researchers have disclosed three security flaws in the widely used Sitecore Experience Platform (XP) that can be chained to achieve pre-authenticated remote code execution.

Sitecore Experience Platform is enterprise-oriented software that provides users with tools for content management, digital marketing, and analytics and reporting.

The list of vulnerabilities, which are yet to be assigned CVE identifiers, is as follows –

  • Use of hard-coded credentials
  • Post-authenticated remote code execution via path traversal
  • Post-authenticated remote code execution via Sitecore PowerShell Extension

watchTowr Labs researcher Piotr Bazydlo said the default user account "sitecoreServicesAPI" has a single-character password that is hard-coded to "b."

While the user has no roles or permissions assigned in Sitecore, the attack surface management firm found that the credentials could instead be used against the "/sitecore/admin" API endpoint to log in as "sitecoreServicesAPI" and obtain a valid session cookie for the user.

"While we can't access 'Sitecore Applications' (where a significant portion of functionality is defined) as the ServicesAPI has no roles assigned, we can still: (1) Access various APIs, and (2) Pass through IIS authorization rules and directly access some endpoints," Bazydlo explained.


This, in turn, opens the door to remote code execution via a zip slip vulnerability: a specially crafted ZIP file can be uploaded through the "/sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx" endpoint, and the archive's contents (e.g., a web shell) are written to the webroot directory because entry names containing path traversal segments are not sanitized before extraction.

The entire sequence of actions is listed below –

  • Authenticate as the "sitecoreServicesAPI" user
  • Access Upload2.aspx
  • Upload a ZIP file, which contains a web shell called //../<web_shell>
  • When prompted, check the Unzip option and complete the upload
  • Access the web shell
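The zip slip class of bug described above comes down to one missing check: the extraction code joins the archive entry's name onto the destination directory without verifying that the result still lies inside that directory. The following is an added example (not code from watchTowr, Sitecore, or the article) that shows the containment check an extractor needs, and an audit routine that flags offending entries in an archive before anything is written. The archive, the destination path `/var/www/site`, and the entry names are constructed for the demonstration; the traversal-style name mirrors the one in the step list, but the entry body is a harmless placeholder string.

```python
import io
import os
import zipfile

# Constructed destination; it does not need to exist, realpath() still normalises it.
DEST_ROOT = "/var/www/site"


def planned_target(dest_root: str, entry_name: str) -> str:
    """Where a naive extractor would write this entry.

    os.path.join() discards dest_root entirely when entry_name is absolute
    (a name starting with '/'), and realpath() collapses '..' segments, so the
    returned path is exactly the file the naive code would create."""
    root = os.path.realpath(dest_root)
    return os.path.realpath(os.path.join(root, entry_name))


def is_contained(dest_root: str, entry_name: str) -> bool:
    """True only if the entry resolves to a path at or below dest_root."""
    root = os.path.realpath(dest_root)
    target = planned_target(dest_root, entry_name)
    # commonpath() is the robust form of the check; a plain startswith()
    # would wrongly accept '/var/www/site-backup' for a root of '/var/www/site'.
    return os.path.commonpath([root, target]) == root


def audit_archive(zip_bytes: bytes, dest_root: str) -> list[tuple[str, bool]]:
    """Return (entry_name, contained) for every entry without extracting anything."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            results.append((name, is_contained(dest_root, name)))
    return results


def safe_extract(zip_bytes: bytes, dest_root: str) -> list[str]:
    """Extract only contained entries; refuse the whole archive if any entry escapes.

    Rejecting the archive outright (rather than skipping bad entries) is the
    conservative choice: a crafted archive is evidence of intent, not a stray file."""
    audit = audit_archive(zip_bytes, dest_root)
    escaping = [name for name, ok in audit if not ok]
    if escaping:
        raise ValueError(f"archive entries escape {dest_root}: {escaping}")
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            target = planned_target(dest_root, name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(name))
            written.append(target)
    return written


def build_sample_archive() -> bytes:
    """Constructed two-entry archive: one traversal-style name, one benign name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("//../shell.aspx", "placeholder text, not a web shell")
        zf.writestr("media/logo.png", b"\x89PNG placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, ok in audit_archive(build_sample_archive(), DEST_ROOT):
        verdict = "ok" if ok else "ESCAPES ROOT"
        print(f"{name!r:24} -> {planned_target(DEST_ROOT, name)}  [{verdict}]")
```

Running the block prints the resolved path of each entry next to its verdict, which makes the failure mode visible: the traversal-style entry resolves to a file under `/` rather than under the intended root, and `safe_extract()` refuses the archive as a whole.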

The third vulnerability has to do with an unrestricted file upload flaw in PowerShell Extensions that can also be exploited as the "sitecoreServicesAPI" user to achieve remote code execution through the "/sitecore%20modules/Shell/PowerShell/UploadFile/PowerShellUploadFile2.aspx" endpoint.
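Both post-authentication paths go through two specific upload endpoints, which gives defenders a narrow thing to watch for in web server access logs while patches are rolled out. The following is an added example (not from watchTowr, Sitecore, or the article) that parses a few IIS W3C-style log lines and flags requests to the two endpoints named above. The log header, field layout, timestamps, IP addresses, and usernames are constructed; the two URI stems are the ones the article cites. Whether the cs-username column is populated depends on how authentication is configured (IIS typically records "-" for forms-authenticated Sitecore users), so the rule keys on the URI stem and treats the username only as enrichment.

```python
import urllib.parse

# Endpoints named in the disclosure, lower-cased and percent-decoded for matching.
WATCHED_ENDPOINTS = {
    "/sitecore/shell/applications/dialogs/upload/upload2.aspx": "Upload2.aspx (zip upload dialog)",
    "/sitecore modules/shell/powershell/uploadfile/powershelluploadfile2.aspx": "PowerShellUploadFile2.aspx",
}
SERVICE_ACCOUNT = "sitecoreservicesapi"

# Constructed sample log; the #Fields line is the W3C column header IIS emits.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2025-06-17 10:01:02 GET /sitecore/login - 203.0.113.5 200
2025-06-17 10:01:09 POST /sitecore/admin - 203.0.113.5 302
2025-06-17 10:01:15 GET /sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx sitecore\\sitecoreServicesAPI 203.0.113.5 200
2025-06-17 10:01:20 POST /sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx sitecore\\sitecoreServicesAPI 203.0.113.5 200
2025-06-17 10:02:01 GET /sitecore/content/Home marketing\\jdoe 198.51.100.7 200
2025-06-17 10:03:44 POST /sitecore%20modules/Shell/PowerShell/UploadFile/PowerShellUploadFile2.aspx sitecore\\sitecoreServicesAPI 203.0.113.5 200
"""


def parse_w3c(text: str) -> list[dict]:
    """Map each log line onto the column names from the most recent #Fields header."""
    fields: list[str] = []
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no request data
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skipping beats misaligning columns
        rows.append(dict(zip(fields, values)))
    return rows


def detect_upload_endpoint_hits(rows: list[dict]) -> list[dict]:
    """Flag every request whose decoded, lower-cased stem is a watched endpoint."""
    findings = []
    for row in rows:
        stem = urllib.parse.unquote(row.get("cs-uri-stem", "")).lower()
        if stem not in WATCHED_ENDPOINTS:
            continue
        user = row.get("cs-username", "-")
        findings.append({
            "time": f"{row['date']} {row['time']}",
            "client": row.get("c-ip"),
            "method": row.get("cs-method"),
            "endpoint": WATCHED_ENDPOINTS[stem],
            # Domain-qualified Sitecore names look like sitecore\user, so match the suffix.
            "service_account": user.lower().endswith(SERVICE_ACCOUNT),
        })
    return findings


def hits_by_client(findings: list[dict]) -> dict[str, int]:
    """Count watched-endpoint hits per source address for triage."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return counts


if __name__ == "__main__":
    found = detect_upload_endpoint_hits(parse_w3c(SAMPLE_LOG))
    for f in found:
        tag = " [service account]" if f["service_account"] else ""
        print(f"{f['time']} {f['client']} {f['method']} -> {f['endpoint']}{tag}")
    print("per-client:", hits_by_client(found))
```

Requests to these dialogs from an interactive editor session are legitimate, so the hit alone is a triage lead rather than a verdict; the combination of a service-account name, a client address that has no business editing content, and a POST to either endpoint is what deserves a closer look.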

watchTowr pointed out that the hard-coded password originates from the Sitecore installer, which imports a pre-configured user database with the ServicesAPI password set to "b." This change, the company said, went into effect starting with version 10.1.


This also means that the exploit chain only works if users installed Sitecore using the installers for versions ≥ 10.1. Users are likely not impacted if they were previously running a version prior to 10.1 and then upgraded to a newer vulnerable version, assuming the old database was migrated rather than the database embedded within the installation package.


With previously disclosed flaws in Sitecore XP coming under active exploitation in the wild (CVE-2019-9874 and CVE-2019-9875), it is essential that users apply the latest patches, if they have not already, to safeguard against potential threats.

"By default, recent versions of Sitecore shipped with a user that had a hard-coded password of 'b.' It's 2025, and we can't believe we still have to say this, but this is very bad," Benjamin Harris, CEO and founder of watchTowr, told The Hacker News in a statement.

"Sitecore is deployed across thousands of environments, including banks, airlines, and global enterprises – so the blast radius here is huge. And no, this isn't theoretical: we've run the full chain, end-to-end. If you're running Sitecore, it doesn't get worse than this – rotate creds and patch immediately before attackers inevitably reverse engineer the fix."
